Merge branch '335075_add_files_api_throttling_settings' into 'master'

Add Files API throttling to application settings

See merge request gitlab-org/gitlab!68559

app/helpers/application_settings_helper.rb

@@ -315,12 +315,18 @@ module ApplicationSettingsHelper
       :throttle_authenticated_packages_api_enabled,
       :throttle_authenticated_packages_api_period_in_seconds,
       :throttle_authenticated_packages_api_requests_per_period,
+      :throttle_authenticated_files_api_enabled,
+      :throttle_authenticated_files_api_period_in_seconds,
+      :throttle_authenticated_files_api_requests_per_period,
       :throttle_unauthenticated_enabled,
       :throttle_unauthenticated_period_in_seconds,
       :throttle_unauthenticated_requests_per_period,
       :throttle_unauthenticated_packages_api_enabled,
       :throttle_unauthenticated_packages_api_period_in_seconds,
       :throttle_unauthenticated_packages_api_requests_per_period,
+      :throttle_unauthenticated_files_api_enabled,
+      :throttle_unauthenticated_files_api_period_in_seconds,
+      :throttle_unauthenticated_files_api_requests_per_period,
       :throttle_protected_paths_enabled,
       :throttle_protected_paths_period_in_seconds,
       :throttle_protected_paths_requests_per_period,

app/models/application_setting.rb

@@ -479,6 +479,14 @@ class ApplicationSetting < ApplicationRecord
             presence: true,
             numericality: { only_integer: true, greater_than: 0 }
 
+  validates :throttle_unauthenticated_files_api_requests_per_period,
+            presence: true,
+            numericality: { only_integer: true, greater_than: 0 }
+
+  validates :throttle_unauthenticated_files_api_period_in_seconds,
+            presence: true,
+            numericality: { only_integer: true, greater_than: 0 }
+
   validates :throttle_authenticated_api_requests_per_period,
             presence: true,
             numericality: { only_integer: true, greater_than: 0 }
@@ -503,6 +511,14 @@ class ApplicationSetting < ApplicationRecord
             presence: true,
             numericality: { only_integer: true, greater_than: 0 }
 
+  validates :throttle_authenticated_files_api_requests_per_period,
+            presence: true,
+            numericality: { only_integer: true, greater_than: 0 }
+
+  validates :throttle_authenticated_files_api_period_in_seconds,
+            presence: true,
+            numericality: { only_integer: true, greater_than: 0 }
+
   validates :throttle_protected_paths_requests_per_period,
             presence: true,
             numericality: { only_integer: true, greater_than: 0 }

app/models/application_setting_implementation.rb

@@ -167,6 +167,9 @@ module ApplicationSettingImplementation
         throttle_authenticated_packages_api_enabled: false,
         throttle_authenticated_packages_api_period_in_seconds: 15,
         throttle_authenticated_packages_api_requests_per_period: 1000,
+        throttle_authenticated_files_api_enabled: false,
+        throttle_authenticated_files_api_period_in_seconds: 15,
+        throttle_authenticated_files_api_requests_per_period: 500,
         throttle_incident_management_notification_enabled: false,
         throttle_incident_management_notification_per_period: 3600,
         throttle_incident_management_notification_period_in_seconds: 3600,
@@ -179,6 +182,9 @@ module ApplicationSettingImplementation
         throttle_unauthenticated_packages_api_enabled: false,
         throttle_unauthenticated_packages_api_period_in_seconds: 15,
         throttle_unauthenticated_packages_api_requests_per_period: 800,
+        throttle_unauthenticated_files_api_enabled: false,
+        throttle_unauthenticated_files_api_period_in_seconds: 15,
+        throttle_unauthenticated_files_api_requests_per_period: 125,
         time_tracking_limit_to_hours: false,
         two_factor_grace_period: 48,
         unique_ips_limit_enabled: false,

db/migrate/20210819120243_add_throttle_files_api_columns.rb

+# frozen_string_literal: true
+
+class AddThrottleFilesApiColumns < ActiveRecord::Migration[6.1]
+  def change
+    add_column :application_settings, :throttle_unauthenticated_files_api_requests_per_period, :integer, default: 125, null: false
+    add_column :application_settings, :throttle_unauthenticated_files_api_period_in_seconds, :integer, default: 15, null: false
+    add_column :application_settings, :throttle_authenticated_files_api_requests_per_period, :integer, default: 500, null: false
+    add_column :application_settings, :throttle_authenticated_files_api_period_in_seconds, :integer, default: 15, null: false
+
+    add_column :application_settings, :throttle_unauthenticated_files_api_enabled, :boolean, default: false, null: false
+    add_column :application_settings, :throttle_authenticated_files_api_enabled, :boolean, default: false, null: false
+  end
+end

db/schema_migrations/20210819120243

+5c74d34171ed9129ffbb3efe5417da1ba857cd729837544e58074debd5afca88
\ No newline at end of file

db/structure.sql

@@ -9606,6 +9606,12 @@ CREATE TABLE application_settings (
     encrypted_customers_dot_jwt_signing_key bytea,
     encrypted_customers_dot_jwt_signing_key_iv bytea,
     pypi_package_requests_forwarding boolean DEFAULT true NOT NULL,
+    throttle_unauthenticated_files_api_requests_per_period integer DEFAULT 125 NOT NULL,
+    throttle_unauthenticated_files_api_period_in_seconds integer DEFAULT 15 NOT NULL,
+    throttle_authenticated_files_api_requests_per_period integer DEFAULT 500 NOT NULL,
+    throttle_authenticated_files_api_period_in_seconds integer DEFAULT 15 NOT NULL,
+    throttle_unauthenticated_files_api_enabled boolean DEFAULT false NOT NULL,
+    throttle_authenticated_files_api_enabled boolean DEFAULT false NOT NULL,
     CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
     CONSTRAINT app_settings_ext_pipeline_validation_service_url_text_limit CHECK ((char_length(external_pipeline_validation_service_url) <= 255)),
     CONSTRAINT app_settings_registry_exp_policies_worker_capacity_positive CHECK ((container_registry_expiration_policies_worker_capacity >= 0)),

spec/models/application_setting_spec.rb

@@ -931,6 +931,10 @@ RSpec.describe ApplicationSetting do
           throttle_unauthenticated_packages_api_period_in_seconds
           throttle_authenticated_packages_api_requests_per_period
           throttle_authenticated_packages_api_period_in_seconds
+          throttle_unauthenticated_files_api_requests_per_period
+          throttle_unauthenticated_files_api_period_in_seconds
+          throttle_authenticated_files_api_requests_per_period
+          throttle_authenticated_files_api_period_in_seconds
         ]
       end
 

spec/services/application_settings/update_service_spec.rb

@@ -362,6 +362,32 @@ RSpec.describe ApplicationSettings::UpdateService do
     end
   end
 
+  context 'when files API rate limits are passed' do
+    let(:params) do
+      {
+        throttle_unauthenticated_files_api_enabled: 1,
+        throttle_unauthenticated_files_api_period_in_seconds: 500,
+        throttle_unauthenticated_files_api_requests_per_period: 20,
+        throttle_authenticated_files_api_enabled: 1,
+        throttle_authenticated_files_api_period_in_seconds: 600,
+        throttle_authenticated_files_api_requests_per_period: 10
+      }
+    end
+
+    it 'updates files API throttle settings' do
+      subject.execute
+
+      application_settings.reload
+
+      expect(application_settings.throttle_unauthenticated_files_api_enabled).to be_truthy
+      expect(application_settings.throttle_unauthenticated_files_api_period_in_seconds).to eq(500)
+      expect(application_settings.throttle_unauthenticated_files_api_requests_per_period).to eq(20)
+      expect(application_settings.throttle_authenticated_files_api_enabled).to be_truthy
+      expect(application_settings.throttle_authenticated_files_api_period_in_seconds).to eq(600)
+      expect(application_settings.throttle_authenticated_files_api_requests_per_period).to eq(10)
+    end
+  end
+
   context 'when issues_create_limit is passed' do
     let(:params) do
       {